[Bro] Can not dump the first packet?
robin at icir.org
Mon Jan 14 12:22:14 PST 2008
On Sun, Jan 13, 2008 at 21:04 +0800, you wrote:
> But I found that the first packet (always the SYN packet) of the
> connection was missed in the pcap file.
This is due to the connection compressor. The compressor defers
instantiating connection state until it sees packets from both
sides, which is why it can't raise events such as tcp_packet()
immediately with the first packet (the event carries a connection
parameter). Not sure what the best fix for this is (if there's any
at all) but you can work around the problem by turning the
compressor off via "redef use_connection_compressor=F".
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro